In October 2015, the European Court of Justice invalidated the US-EU Safe Harbor Program in the landmark Schrems v. Data Protection Commissioner decision. The Safe Harbor was a 15-year-old program that had allowed American firms to transfer EU citizens’ data to the United States, subject to self-certification of compliance with privacy principles equivalent to those of the EU’s Data Protection Directive. Although the immediate result of Schrems was to strike down the Safe Harbor framework, the plaintiff’s substantive claims rested on his contention that the US government’s ongoing data-surveillance programs violate the privacy protections afforded to EU citizens’ data.
In the wake of Schrems, affected companies scrambled to find alternative means of navigation. These included the EU’s Standard Contractual Clauses (i.e., standard contracts approved by the European Commission under which the affected firm agrees to comply with EU data protection standards), Binding Corporate Rules (i.e., internal policies governing data transfers within a corporate group, which must be approved by national data protection authorities in the EU), individualized consents of the data subjects and even relocation of US data centers to EU territory. Complicating things further, reliance upon Standard Contractual Clauses and Binding Corporate Rules was called into question by the same surveillance concerns that drove Schrems, since neither mechanism does anything to limit government access to the data once it arrives in the United States.
Attempting to restore some regulatory certainty to this area, US and EU policymakers have been working on a new “Privacy Shield” framework to replace the Safe Harbor. The Privacy Shield was publicly announced in March 2016. It is expected to be voted upon by the EU’s Article 31 Committee later this month. Assuming that it receives regulatory approval, the Privacy Shield could be in effect by early July.
Given these efforts (and setting aside predictions that the Privacy Shield would suffer a similar legal fate as the Safe Harbor), it would seem reasonable to predict a return to relative tranquility in trans-Atlantic data flows. Alas, just when you thought it was safe to go back in the trans-Atlantic data transfer waters, a majority of British voters elected to take the United Kingdom – currently the world’s fifth largest economy – out of the EU entirely in the June 23rd “Brexit” referendum.
Brexit undoubtedly will have wide-ranging legal and economic impacts on the UK and on entities doing business with British firms. From a privacy and data security perspective, once the UK actually leaves the EU, data flows into and out of the UK will fall under an exclusively national regulatory scheme. That scheme, in turn, will have to be amended to disentangle it from the EU privacy directives that current UK data protection law implements.
In the near term, the US Department of Commerce may well find itself in yet another round of safe harbor negotiations, only this time with the UK’s Information Commissioner’s Office rather than the European Commission. It remains to be seen whether UK regulators will be more accommodating to US data processors than the EU has traditionally been, but the long-standing intelligence sharing relationships between the US and the UK (e.g., the “Five Eyes” signals intelligence alliance among the US, Canada, the UK, Australia and New Zealand) may alleviate some of the national security concerns that were at the heart of Schrems. In any event, moving data across the Atlantic will continue to be a difficult and potentially perilous voyage for the foreseeable future. Accordingly, a good map and a careful navigator will be indispensable.
Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.